Coming from an understanding of Fermat's primality test, I'm looking for a clear explanation of the Miller-Rabin primality test.

Specifically: I understand that for some reason, having non-trivial square roots of 1 mod p means that p is definitely composite; and I gather that you can find these non-trivial square roots by squaring x, but I don't really understand what these reasons are. Specific examples of non-trivial roots of a composite number would be helpful.

What don't you understand about the explanation at the Wikipedia article, which also includes examples?
– Qiaochu Yuan (Sep 14 '10 at 5:09)

4

I still think it is disingenuous to term it a "primality" test; better that it be called a "compositeness test". If a number fails it, it is definitely composite, but a number passing this does not necessarily imply that the number is prime.
– Guess who it is. (Sep 14 '10 at 5:50)

@Qiaochu - the examples there just provide the steps, which I can easily reproduce. However, the examples don't walk you through it step by step. For instance, they talk about non-trivial roots (which, as I understand it, is the fundamental concept behind the MR Test) but they never give an example of a non-trivial root.
– Smashery (Sep 14 '10 at 6:04)

4 Answers
4

Suppose $p$ was prime, and $y$ was a non-trivial square root of $1$ mod $p$.

Then we must have that $y^2 = 1 \mod p$ and so $(y-1)(y+1) = 0 \mod p$. This implies that either $y = 1 \mod p$ or $y = -1 \mod p$, which implies that $y$ is a trivial square root.

Thus, if there is a non-trivial square root of $1$ mod $p$, then $p$ has to be composite.

For an example of a non-trivial square root of a composite, consider $p = 15$. We have that $4^2 = 16 = 1 \mod 15$. Thus $15$ is composite.

Note that the witness in the primality test is not necessarily a non-trivial square root of $1$ mod $p$.

The fact about non-trivial square roots can be used to prove that if $p$ is prime, then for any $a$ relatively prime to $p$, some power of $a$ from a given set of powers (the powers are based on the even factors of $p-1$) must be $-1$, or a specific odd power of $a$ (again based on a factor of $p-1$) must be $1$.

If for some $a$ none of the above set of powers is $-1$ and the specific odd power is not $1$, then it must be the case that $p$ is composite.

It can also be shown that for composite $p$, the chance of finding such an $a$ is at least $3/4$. This $a$ is the witness in the primality test and is not necessarily a non-trivial square root of $1$ mod $p$.

The squaring that is done is to get the powers described above which are based on the factors of $p-1$.

The wiki page has really got a lot of good information (including the exact powers of $a$ that need to be taken): Miller Rabin Primality Test
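The procedure this answer describes, as an added example that is not code from the original post: one round returns whether base $a$ fails to certify compositeness and, when the squaring chain reaches $1$ from a value other than $\pm 1$, the non-trivial square root of $1$ it found. The function and variable names are the example's own.

```python
# Added example, not code from the original answer: Miller-Rabin as described
# above, reporting the non-trivial square root of 1 when the squaring chain
# of a^s, a^(2s), a^(4s), ... exposes one.
import random


def decompose(n):
    """Write n - 1 = 2**r * s with s odd (the 'factors of p-1' in the text)."""
    r, s = 0, n - 1
    while s % 2 == 0:
        s //= 2
        r += 1
    return r, s


def miller_rabin_round(n, a):
    """One round for odd n > 2 and base 1 < a < n - 1.

    Returns (passed, root): passed is False when a witnesses compositeness;
    root is a non-trivial square root of 1 mod n when the round found one.
    """
    r, s = decompose(n)
    x = pow(a, s, n)                  # the "specific odd power" a^s
    if x in (1, n - 1):               # a^s is +-1: a is not a witness
        return True, None
    for _ in range(r - 1):
        prev, x = x, pow(x, 2, n)     # a^(2^(i+1) s) = (a^(2^i s))^2
        if x == n - 1:                # hit -1: a is not a witness
            return True, None
        if x == 1:                    # prev^2 = 1 with prev != +-1
            return False, prev
    # a^((n-1)/2) is neither +-1. If a^(n-1) = 1 that value is a non-trivial
    # root of 1; otherwise n already fails Fermat's test for base a.
    return False, (x if pow(x, 2, n) == 1 else None)


def is_probable_prime(n, rounds=20, rng=random):
    """Random-base test; a composite survives each round with chance <= 1/4."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not miller_rabin_round(n, a)[0]:
            return False
    return True
```

For the answer's own example, `miller_rabin_round(15, 4)` returns `(False, 4)`, while the Carmichael number 561 (which passes Fermat's test for base 2) is caught through the non-trivial root 67.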

+1 - Thanks; very clear. Two things I still don't understand: why do we use even factors of p-1 for our testing; and once we get to -1 or 1, why are we so sure it's composite/probable prime?
– Smashery (Sep 14 '10 at 6:25)

2

@Smash: The reason we take factors of $p-1$ is that by Fermat's little theorem $a^{p-1} = 1 \mod p$ if $p$ is prime. So suppose $p-1 = 2^{r} s$. We also have that $(a^{2^{i} s})^{2} = a^{2^{i+1} s}$, so we get square roots of $1$ among those powers. The wiki page has a good write up of that.
– Aryabhata (Sep 14 '10 at 13:57)

Theorem. One may quickly factor $\rm m>1\,$ given a polynomial with more roots mod $\rm\, m\,$ than its degree. For suppose that, modulo $\rm m,\;$ the polynomial $\rm\, f(x)\ne 0\,$ has degree $\rm\,n\,$ but has $\rm\,n+1 \,$ distinct roots $\rm\,r_{\,i}.\,$ Then one of $\rm\;\gcd(m,\,r_{\,i} - r_{\,j}),\; i\ne j \,$ must yield a proper factor of $\rm\,m.\,$ For if that failed, then all of the gcds must be improper, hence $1,\,$ not $\rm\;m \;$ since $\rm\; i\ne j\;\Rightarrow\; r_{\,i} \not\equiv r_{\,j}\ (mod\ m).\,$ Now an induction using the Factor Theorem yields $\rm\;f(x) = (x-r_1)\cdots(x-r_{n+1})\; g(x),\;\; g(x) \ne 0, \;\;$ contra $\rm\,\deg\, f = n.$

If $p$ is prime then $\mathbb{Z}_p$ (integers modulo $p$) is a field. It is a basic result in algebra that in a field, a polynomial of degree $n$ has at most $n$ roots, and so the polynomial $x^2-1$ has exactly two roots: $1$ and $-1$ (which exist in every field).

If $n$ is composite, then $\mathbb{Z}_n$ is never a field because not all elements have an inverse; it is well known that $a\in \mathbb{Z}_n$ has an inverse if and only if $a$ is relatively prime to $n$. Let's look at the case where $n$ is the product of two primes, $n=pq$. In this case we can do arithmetic in $\mathbb{Z}_n$ by doing arithmetic in $\mathbb{Z}_p$ and $\mathbb{Z}_q$ and combining the results using the Chinese remainder theorem (which basically states that $\mathbb{Z}_n\cong\mathbb{Z}_p\times\mathbb{Z}_q$). Since $\mathbb{Z}_p$ and $\mathbb{Z}_q$ are both fields, $1$ has two roots in each of them. For every combination of a root from $\mathbb{Z}_p$ and a root from $\mathbb{Z}_q$ we'll get a root of $1$ in $\mathbb{Z}_n$, meaning we'll get $4$ roots of $1$.

The major challenge of the Miller-Rabin test is to show that there is a "large" chance to stumble upon a non-trivial root while squaring random elements of $\mathbb{Z}_n$, and the proof, although not difficult, is not immediate either.
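The two previous answers together, as an added example that is not code from either answer: the four square roots of $1$ modulo $n = pq$ are built from the roots $\pm 1$ of $\mathbb{Z}_p$ and $\mathbb{Z}_q$ with the Chinese remainder theorem, and then, because $x^2 - 1$ has more roots than its degree, $\gcd(n, r_i - r_j)$ splits $n$ as the theorem above states. Function names are the example's own.

```python
# Added example, not code from the original answers: build the square roots
# of 1 modulo n = p*q from the roots +-1 of Z_p and Z_q with the Chinese
# remainder theorem, then factor n from two of them via gcd(n, r_i - r_j)
# as the theorem quoted above prescribes.
from itertools import combinations
from math import gcd


def crt_pair(r_p, p, r_q, q):
    """Unique x mod p*q with x = r_p (mod p) and x = r_q (mod q), gcd(p, q) = 1."""
    inv = pow(p, -1, q)                    # p^-1 mod q (needs Python 3.8+)
    t = ((r_q - r_p) * inv) % q
    return (r_p + p * t) % (p * q)


def square_roots_of_one(p, q):
    """All solutions of x^2 = 1 (mod p*q) for distinct odd primes p and q."""
    roots = set()
    for r_p in (1, p - 1):                 # only roots of x^2 - 1 in the field Z_p
        for r_q in (1, q - 1):             # only roots of x^2 - 1 in the field Z_q
            roots.add(crt_pair(r_p, p, r_q, q))
    return sorted(roots)                   # four roots, two of them non-trivial


def factor_from_roots(n, roots):
    """Proper factor of n from distinct roots r_i, r_j of one polynomial mod n:
    gcd(n, r_i - r_j) as in the theorem above. None if no pair splits n."""
    for r_i, r_j in combinations(roots, 2):
        g = gcd(n, abs(r_i - r_j))
        if 1 < g < n:
            return g
    return None
```

For $n = 15$ this yields the roots $1, 4, 11, 14$ (so $4$ and $11$ are the non-trivial ones the first answer mentions) and $\gcd(15, 4 - 1) = 3$.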

To be fair, a lot of things in number theory about primes fail for 2. Hence the frequent "Let $p$ be an odd prime..."
– Guess who it is. (Sep 14 '10 at 6:14)

So where does the squaring come in? The step of x = x^2 still confuses me.
– Smashery (Sep 14 '10 at 6:26)

Smashery: It's modular exponentiation. Square x and take the appropriate remainder.
– Guess who it is. (Sep 14 '10 at 6:39)

2

Miller-Rabin is basically a smart version of the Fermat test. In the Fermat test, you choose some $a$ at random and compute $a^{n-1}$ and compare it to $1$. Computing the $(n-1)$th power is slow if it's done directly, so the trick is to cut time by repeated squaring. The extra idea Miller-Rabin adds is to verify that during this squaring process we don't gain nontrivial roots of $1$.
– Gadi A (Sep 15 '10 at 14:20)

I tried to edit/TeXify your answer as well as I was able to. You might want to have a look whether my edits follow your original intentions. It might also help you to get basics of the TeX syntax in the way it is used at this site.
– Martin Sleziak (May 27 '11 at 12:50)

Brilliant proof. There are some LaTeX mistakes in the exponents.
– alinsoar (Oct 27 '12 at 23:31)